Cybercrime law in South Africa explained

Find out about South African cyber crime law and how they affect you or your organisation. The law recognises the criminal threat that exists to cyberspace and as a result cyber crimes were introduced into the law by Chapter XIII of the Electronic Communications and Transactions Act of 2002 (ECT Act). What are these laws? Are they effective?

The cyber crimes in South African largely follow international trends. You should check that neither you, nor your staff, fall foul of the laws as they carry stiff penalties. It is important for you to know how these laws can assist you in taking action against criminals who commit cyber crimes against you and your business’s electronic assets. These cyber crimes should compliment your current information security strategy.

Please bear in mind that the current cyber crimes law is in the process of being amended by Parliament who has introduced the Cybercrimes Bill.

Background

We live in an age where information is power and electronic assets (such as your software, websites, databases, intranets, accounting records, customer lists and other data) are an integral part of most businesses – indeed they are potentially as valuable as any physical asset and in some cases, far more so. Any threat to your electronic assets should therefore be taken very seriously.

The incidence of computer-related crime seems to be on the rise. What increases the potential pool of criminals is that the rationale behind the commission of these crimes is not solely personal gain, but sometimes:

disgruntled employees may seek to destroy vital data,

hackers may merely want to prove that a website or server can be hacked, or

a terrorist realises that a cyber-attack could cause mass chaos and terror.

There are two aspects to the protection of your electronic assets, namely information security (both physical and logical) and the control of the conduct of third parties. In this regard:

Information security represents the measures you can take to protect yourself. The passwords, firewalls and access control measures that you implement are the electronic equivalent to the gates, barbed wire fences and surveillance equipment you use to protect your physical assets.

One way in which the conduct of third parties can be influenced is by the passing of laws which regulate such conduct. Whilst such laws will not always prevent the undesirable conduct, it will, ideally, limit it and create negative consequences for those caught breaching it. To a greater or lesser extent, this is what the ECT Act, with its cyber crimes, has sought to achieve.

Cyber Crime Law

The ECT act creates the following offences in Chapter XIII:

The unauthorised access or interception of data is a crime. In our view hacking, cracking and packet sniffing would fall within this category.

The unauthorised interference with data in a way that causes such data to be modified, destroyed or otherwise rendered ineffective is a crime. The creation and spreading of viruses, Trojan horses and worms would fall within this category. However, it is important to realise that, in order to be guilty of an offence in terms of the ECT Act, you must have the intent to commit the crime. So there is no need for anyone to worry (from a criminal perspective anyway) if a virus that you’ve received sends itself to your whole address book. While you should have had the most recent pattern or update for your anti-virus software, you’re not a criminal because the virus was not intentionally spread.

The unlawful use of devices that are designed to overcome security measures for the protection of data is now a crime and this would include the creation or use of software used for cracking.

The intentional overloading of web servers with the intention of crashing them (denial of service attack) is a crime. The Distributed Denial of Service (DDoS) attack that started yesterday is a great example.

The crimes of computer-related extortion, fraud and forgery are also recognised. For example, if someone threatens to hack your website or system unless you pay them a lot of money, then this would amount to extortion. (section 87)

Any person who attempts to commit any one of these crimes (or who aids or abets someone to commit these crimes) is also guilty of an offence. (section 88)

Please read the actual sections of the ECT act for the precise definitions of the crimes. It is important to consider and the specific and exact wording of the sections.

Investigation and Enforcement

At a time when questions are being asked as to the enforceability of many laws being passed by parliament, the question obviously arises as to whether these new cyber crimes will be enforceable?

Quite a radical approach adopted by the ECT Act is the provision which vests jurisdiction in the South African courts to try an offender if, amongst others, the offence:

or any part thereof or any preparation in contemplation of such offence was committed in South Africa;

was committed by a South African citizen, permanent resident or person who was carrying on business in South Africa.

These are extremely wide and the question, which begs to be asked, is how long the arm of the South African law can and will be when we are struggling to combat basic everyday crime within our own borders?

In the United States, Computer Hacking and Intellectual Property (CHIP) units have been created specifically for this purpose. One cannot help imagining a virtual equivalent of the police officers from the popular TV series CHIPs in the late 80’s.

In South Africa, one of the proposed enforcement mechanisms is that of cyber inspectors who will, amongst other functions, be monitoring and reporting illegal activities. To date, no cyber inspectors have been appointed. The cyber inspectors have the powers (with a warrant) to inspect and search your premises, information systems or data and seize your records. But because there aren’t any cyber inspectors don’t expect one to arrive at reception armed with a badge and a warrant!

Another means by which the provisions will be enforced is by the reporting of such illegal activity by victims or witnesses. A number of factors threaten to frustrate the enforcement of the provisions by this means, namely:

many victims of cyber crime do not want it to be publicly known that their systems have been breached and are therefore unwilling to report the crime. Can you imagine the negative public perception issues which would arise if a bank or a medical aid admitted to its website or databases being hacked (and it is often parties such as banks and security agencies like the NIA or FBI that present themselves as desirable targets for hackers seeking a challenge);

very often it is extremely difficult to track and identify the hacker and even if this is achieved, they may be in a foreign jurisdiction. Thus it may not be practically feasible to bring such a person to book.

The Penalties

Do the cyber crime provisions of the ECT Act have any teeth? Will the cyber crimes act as a deterrent and force people to comply with the law? Depending on the nature of the offence, the penalties for committing a cyber crime range from an unspecified fine to imprisonment for a period between one to five years. In the United States the penalty, in terms of their legislation, is US$250,000 or 5 years imprisonment but in our view, we are unlikely to see sentences of this magnitude being imposed on cyber criminals. We are not aware of any fine or imprisonment in South Africa pursuant to these cyber crimes.

Council of Europe’s Convention on Cybercrime

South Africa is a signatory to the Council of Europe’s Convention on Cybercrime. Whilst the ECT Act complies with the substantive provisions of the convention, neither the ECT Act nor the Criminal Procedure Act complies with the conventions procedural requirements (e.g. the provision of a 24 x 7 command centre).